Firewall Wizards mailing list archives

Re: recent telnet vulnerability


From: Balazs Scheidler <bazsi () balabit hu>
Date: Sat, 11 Aug 2001 13:30:18 +0200

nuqneH,

Back to my original question, do we know any firewall that _does_protect_
(not _is_immune!_) against this vulnerability?

Although my test environment was not complete, it seems the Telnet
proxy in the soon-to-be-released Zorp 1.0 stops the attack. Here's what I
did:

- downloaded exploit code from securityfocus.com (zp-exp-telnetd.c)
- it didn't work on my telnetd, however caused a SIGSEGV (I should have
  changed offsets)
- fired up Zorp with telnet proxy listening on port 2323 and forwarding
  requests to localhost:23, changed the exploit to connect to the proxy port
- launched the attack, the SIGSEGV didn't occur, Zorp logs show that some
  negotiations were rejected by the proxy (it allows only the required
  negotiations for telnet to work by default, but this can be changed by
  the administrator)

Zorp 1.0 is not yet released, a development version (0.9.1) can however be
downloaded, but it doesn't contain this proxy module. It's not yet decided 
whether the telnet proxy will be GPLd, or will only be available in the
commercial version.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
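
The default-deny handling of option negotiations described in the message above, as an added example that is not part of the original post and is not Zorp's code: a filter that forwards only allowlisted telnet options and drops the rest. The allowlist, the 64-byte subnegotiation cap and the name filter_telnet are assumptions chosen for illustration.

```python
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Assumed policy, not Zorp's defaults: ECHO (1), SUPPRESS-GO-AHEAD (3),
# TERMINAL-TYPE (24), NAWS (31).
ALLOWED_OPTIONS = frozenset({1, 3, 24, 31})
MAX_SB_LEN = 64  # assumed cap on subnegotiation payload bytes

def filter_telnet(data, allowed=ALLOWED_OPTIONS):
    """Return (bytes to forward, rejected events, incomplete tail to buffer)."""
    out, rejected = bytearray(), []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])          # ordinary data byte
            i += 1
            continue
        if i + 1 >= n:
            break                        # lone IAC: wait for more input
        cmd = data[i + 1]
        if cmd in NEGOTIATION:
            if i + 2 >= n:
                break                    # option byte not received yet
            opt = data[i + 2]
            if opt in allowed:
                out += data[i:i + 3]
            else:
                rejected.append(f"{NEGOTIATION[cmd]} {opt}")
            i += 3
        elif cmd == SB:
            j = i + 2                    # scan to IAC SE, stepping over IAC-escaped pairs
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= n:
                break                    # terminator not received yet
            body = data[i + 2:j]         # option byte followed by payload
            if body and body[0] in allowed and len(body) - 1 <= MAX_SB_LEN:
                out += data[i:j + 2]
            else:
                rejected.append(f"SB {body[0] if body else 'empty'} len={len(body)}")
            i = j + 2
        else:
            out += data[i:i + 2]         # IAC IAC (literal 0xFF) or other 2-byte command
            i += 2
    return bytes(out), rejected, bytes(data[i:])

# Constructed sample: DO ECHO, WILL option 39, "hi", oversized SB for option 24.
SAMPLE = (bytes([IAC, DO, 1, IAC, WILL, 39]) + b"hi"
          + bytes([IAC, SB, 24]) + b"A" * 100 + bytes([IAC, SE]))
```

The rejected list corresponds to the log entries a proxy would write for dropped negotiations; the returned tail is prepended to the next read so a sequence split across packets is still checked as a whole.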